This Hacker has Implanted a Chip in his Body to Exploit your Android Phone

Plenty of people these days are prepared to augment their bodies with face furniture, piercings, rings and tattoos.

But would you implant a chip in your hand to show how easy it is to exploit an Android phone?

That’s what former US navy petty officer Seth Wahle did, in an attempt to demonstrate how business networks could be compromised.

Wahle took an NFC chip, similar to the kind found in many of today’s smartphones, and injected it between the thumb and finger of his left hand. According to Forbes, the injection was something of an eye-watering experience.

But implants aren’t for the squeamish. Wahle says the needle was bigger than he’d expected when he had the chip implanted by an “unlicensed amateur” for $40, enough to make him want to vomit. He says he had to go through a backstreet operation due to Florida’s restrictive body modification laws.

Unfortunately for lovers of Hollywood techno-thrillers, the attack itself is fairly lame.

As the article in Forbes describes, for the exploit to be successful the victim has to click on a link sent to his Android device by the implanted NFC chip:

It has an NFC (Near Field Communications) antenna that pings Android phones, asking them to open a link. Once the user agrees to open that link and install a malicious file, their phone connects to a remote computer, the owner of which can carry out further exploits on that mobile device. Put simply, that Android device is compromised. In a demo for FORBES, Wahle used the Metasploit penetration testing software on his laptop to force an Android device to take a picture of his cheery visage.

My feeling is that the typical user would be suspicious of an unusual link popping up unexpectedly on their screen (just as the beardy hacker-type guy approaches) and not necessarily click on it.

If it were possible to use a little more social engineering in the link’s delivery – which, after all, is what would be possible if the attack was delivered via email without having to put the hacker at risk of physical proximity – then it would be more likely to succeed I would wager.

Nonetheless, with many Android devices suffering from a shockingly bad patching infrastructure there remains the potential for serious vulnerabilities to remain on a high proportion of devices, that could potentially be exploited in future attacks of this kind.

And, of course, it can just as easily be delivered by somebody clean-shaven wearing a suit as a guy with a hipster beard wearing a Metallica t-shirt.

It should be noted that Seth Wahle is not the first person to make a splash in the world of computer security after injecting a chip into their body.

During the late 1990s and early years of this century, Professor Kevin Warwick of Reading University was dubbed “Captain Cyborg” by some in the media for his attention-grabbing claims after he embedded NFC chips into his body to open doors, and at one point claimed (rather fancifully and inaccurately) to be the first human to be “infected with a computer virus”.

You have to also ask yourself in what limited scenarios would having an NFC chip embedded inside your body be preferable to, say, having it hidden in your watch or your the back pocket of your jeans.

Editor’s Note:The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Why not just use a (disposable) NFC sticker instead? If it's a simple macro…

Jimbo

Very simple answer. Notoriety! This is a relatively harmless way to ensure you get your face splashed across the press. Can't do harm if he wants a career in infosec. I'd do it just to prank my colleagues or for security awareness in an organisation.

Because as implantable chips become more powerful, the exploits will, too. Better to draw attention to it now and have people start thinking about it than later when the embedded chip doesn't need another computer to finish the job.

PaulieD

If he could accomplish this with a hand implanted device, what pray tell would one be able to accomplish with a penile implant?! At least then we could call it an "injection" attack.

MrMan

I prefer the idea of the woman who had rare earth magnets implanted in her fingertips – she could feel electric currents with her fingers! Or at least she could until they broke apart and entered her circulatory system – that'll make for interesting times if she ever needs an MRI.